Online Behavioural Advertising (OBA)
Follow Up Research Project

A report prepared by the Technology Analysis Branch of the Office of the Privacy Commissioner of Canada

June 2015

---

Background

Online Behavioural Advertising (OBA) involves tracking consumers’ online activities, across sites and over time, in order to deliver advertisements targeted to the consumers’ apparent interests. Behavioural advertisers often use sophisticated algorithms to analyze web histories, build detailed personal profiles of users, and assign them to various interest categories. Interest categories are then used to present ads thought to be relevant to users in those categories. Ads can also be targeted based on specific websites that users have visited recently (often called retargeting or remarketing).

In December, 2011, The Office of the Privacy Commissioner of Canada (OPC) issued guidelines^{Footnote 1} to help the various organizations involved in OBA ensure that their practices are fair, transparent, and in accordance with PIPEDA. One of the foundations of the guidelines, described fully in a supporting policy document,^{Footnote 2} is that OBA involves the collection of personal information:

Taking a broad, contextual view of the definition of personal information, the OPC will generally consider information collected for the purpose of OBA to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.

The guidelines also stated that opt-out consent for OBA could be considered reasonable under PIPEDA provided it is carried out under certain parameters:

• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
• Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioural advertising;
• Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
• Information collected and used is destroyed as soon as possible or effectively de-identified.

In addition, two restrictions were stipulated:

Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.

…

PIPEDA requires meaningful consent for the collection, use and disclosure of personal information. It is difficult to ensure meaningful consent from children to online behavioural advertising practices. Therefore, as a best practice, organizations should avoid tracking children and tracking on websites aimed at children.

If these conditions and restrictions are not met, and an organization wishes to continue to use OBA, then explicit consent is required.

Even though our guidelines were widely distributed and discussed, and an industry-led self-regulatory program (see below) was subsequently launched, advertising practices may not be consistent. Previous observations of major websites and the ads they contain suggested that, while ads are often tailored based on past web activities, there may be little notice of OBA practices and no easy ability to opt out.

Further, we have now looked at OBA practices in three PIPEDA investigations. In the Nexopia case^{Footnote 3} we found that the company was not properly informing its users about the use of OBA on its website, or providing an effective way for users to opt out. The company made changes to their site so that a prominent notice appears on many pages that contain ads inviting people to learn about, and potentially opt out of, OBA practices.

In the Google Health Ads case^{Footnote 4} we found that the company was tailoring ads based on web activities related to a sensitive health topic (Continuous Positive Airway Pressure (CPAP) devices used to treat sleep apnea), contrary to our guidelines and Google’s own policies. Google has since changed its practices to monitor and deter this kind of OBA.

In the Ganz case^{Footnote 5} our investigation found that the company was not fully aware of the OBA practices of its advertising partners, and that special measures were needed to ensure that advertisers were not conducting OBA for child users. The company has since put in place measures to address this situation.

Even with these cases, the OPC has not yet systematically looked at current OBA practices across a range of sites and advertisers. The purpose of this research project was to gather data on current practices. This activity was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. Instead it was an opportunity to observe advertising practices across a range of web sites and advertising organizations, and a method to gather data for analysis and discussion.

Types of Advertisement Placements

Ads can be placed in a number of ways including randomly, contextually based on the content of the web page, geographically based on apparent location, and through behavioural targeting. It can be difficult to determine why a particular ad was placed during a specific page visit. For this project we adopted strict criteria for identifying behaviourally targeted ads. For an ad to be considered OBA, it had to be directly related to the interest topic being tested or lead to a site that was visited earlier.

For some of the tests, we visited the ad preferences pages provided by Google^{Footnote 6} and Yahoo! ^{Footnote 7}to determine any interest categories that these organizations had assigned. We used this information to guide, but not necessarily restrict, our assessment of the nature of the ads.

The AdChoices Program

The advertising industry has developed self-regulatory programs to govern advertisements online. For example, the Digital Advertising Alliance of Canada (DAAC) encourages organizations to provide notice of advertising practices to Internet users, and an ability to opt out of OBA programs. A central feature of the program is an icon to be attached to OBA ads:

The core feature of the Canadian program is the “AdChoices” icon. The icon, now widely used in the U.S. and across Europe, tells consumers that participating companies adhere to an accepted set of principles that provide consumers with transparency and control over interest-based ads. The icon links to information about interest-based advertising and an online tool that allows consumers to opt out from this type of advertising if they choose.^{Footnote 8}

As of September 2014, 57 companies had begun registering for the DAAC program. Nevertheless, it appears that many ads may be appearing on websites frequently used by Canadians without the AdChoices icon, or any other form of notification and opt-out.

The purpose of the current project, then, was to research current OBA practices being experienced by Canadians and raise awareness among industry and consumers about the importance of protecting privacy.

For this project we developed a simple, straightforward method of researching online advertising. We used a computer program to control a web browser and instructed it to visit a number of sites related to a particular topic (e.g., golfing) for about an hour and, once that was done, we then visited general interests sites (such as news and weather) and looked for ads related to the topic. This was a simple procedure that allowed us to quickly observe the most obvious forms of ad targeting. More subtle procedures that involved more varied, longer lasting online activities might reveal different advertising practices, but the simple procedure was appropriate for our purposes.

Since advertising programs and content change, the website research was conducted in four rounds spaced over a 4-month period.

Websites

In September 2014, a list of the top 500 websites in Canada based on popularity was copied from Alexa^{Footnote 9} and the sites were selected if they matched all of the following criteria:

1. does not require a login to experience main content or service
2. likely to contain ads
3. contains significant content concerning Canada and Canadians, and likely visited by Canadians
4. subject to PIPEDA (not Privacy Act)
5. safe for work (excludes sites focused on adult content)

This screening resulted in a total of 46 websites. In order to ensure that ads were seen, for some sites a specific page was visited instead of the home page (e.g., the Ottawa page for Kijiji). The sites that were included in the research are shown below:

Interest Topics

Twelve interest topics were chosen either because our observations suggested that they often result in targeted ads, or literature reports suggested that they sometimes resulted in OBA.^{Footnote 10} The topics were chosen to include both non-sensitive topics (e.g., golfing) and sensitive topics related to personal or health issues (e.g., pregnancy test). The topics that were tested are shown below:

Non-sensitive	Sensitive
European travel digital camera golfing shopping women shoes shopping	depression cures liposuction clinic bankruptcy HIV datingc women's shelter CPAP pregnancy test divorce lawyer

Testing Software

Specialized software was developed for the tests. This software used the Watir Webdriver toolkit^{Footnote 11} to control a Firefox web browser and enable automatic visits to websites. During a visit to a page, the software automatically recorded all of the network traffic coming into or out of the browser to provide a record of how a page was constructed. In addition, the software captured a screenshot of the web page and saved a Portable Networks Graphics (PNG) image.

Test Procedure

The automated test procedure was repeated for each of the 12 interest topics that were examined. There were two phases for each session: induction and testing. Induction involved creating an apparent interest in the topic being examined. This was done by conducting a Google or Bing search using the search term (e.g., “pregnancy test”). The search results page was then examined by the software and every link was visited in turn. The induction phase typically involved visiting approximately 35 sites that were related to the topic in question.

The second testing phase in each session involved visiting each of the 46 sites selected for the study. These sites were visited in a random order to reduce any possible order effects (e.g., it is possible that more ads could be seen if induction was completed recently). A screenshot was captured for each website and preserved for later manual analysis. When advertising of interest was seen, the record of network traffic was examined to determine which advertising organization placed the ad.

A new browser profile was created for each test session (i.e., for each topic). This ensured that the browser did not contain any cookies or cache data prior to the induction phase.

Analysis

A testing session involved 46 websites and 12 interest topics, resulting in a total of 552 screenshots. Each screenshot was examined for the presence of ads in two passes. In the first pass, image mark-up software was used to highlight (using a red oval) each ad shown on the page. In the second pass the ads on a page were counted and categorized into 6 categories depending on whether the ad was related to the interest topic or not, and if there was the Ad Choices icon or other notice about advertising practices in or near the ad. This analysis resulted in 6 categories:

1. off-topic, no ad notice
2. off-topic, AdChoices icon
3. off-topic, other ad notice
4. on-topic, no ad notice
5. on-topic, AdChoices icon
6. on-topic, other ad notice

Frequency of Ads and Targeting

On average, we observed about 3.8 ads per page, with some pages only showing one or two ads and other pages showing six to eight ads. Across the 4 testing sessions we observed and examined nearly 9,000 ads.

Targeted ads related to the topics that we tested tended to appear about 3% of the time (i.e., approximately 300 ads), and within this set we saw ads related to eight of the topics that we tested (European travel, digital camera, golfing, women’s shoes, liposuction, bankruptcy, pregnancy test, divorce lawyer). While this might seem to be a low rate of OBA, it is not surprising given the simple method we used to induce an apparent interest and the brief testing sessions employed here. The approximately 300 targeted ads observed were distributed across the majority of the websites that we examined (24 out of 46, 52%).

Providing Notice and Opt-Out for Targeted Ads

When reviewing all the ads that we saw, both on and off topic, the AdChoices icon appeared about 35% of the time. The remaining ads did not display the icon, or any other information about the ad. Use of the icon would not be expected for all of the ads, however, because they may have been placed using non-behavioural methods (e.g., randomly, contextually, etc.).

When looking specifically at ads that were targeted based on the interest topics we tested, the vast majority had the AdChoices icon. In fact, for the approximately 300 targeted ads that we examined, we only observed 11 cases (3.7%) where there was no icon. Thus, when considering all the advertising that we reviewed, adoption of the AdChoices program for behaviourally targeted ads was very high (96.3%).

Only one website, monster.ca, used an OBA notice that was not the AdChoices icon. Instead this site had a link near their ads labeled “interest based ad”, and this link led to information about Monster’s advertising practices and an option to opt out of their cookie. We never saw any ads on monster.ca related to the interest topics that we tested.

OBA Without Notice and Opt-out

Even with the high overall rate of icon usage, we did observe targeted ads appearing without any form of notice and opt-out. Some organizations used the icon inconsistently while others never provided any form of notification and opt-out. We observed targeted advertisements without notification being placed by four different organizations:

Organization	Topics
Flyertown	digital camera, luggage
Google	smartphone, air travel, bankruptcy
MediaMath	European travel
AppNexus	European travel

OBA on Sensitive Topics

We also observed 34 examples of targeted ads based on sensitive topics being placed by three different organizations who were using an opt-out model of consent. Our guidance on OBA specified that an opt-out model is not acceptable where sensitive information is at issue, including sensitive information such as medical or health information.

Most of the ads on sensitive topics did appear with the AdChoices icon, but it is interesting to note that one organization (Google) placed the same ads for bankruptcy services with the icon on some sites and without it on others.

Organization	Topic	Icon
Criteo	pregnancy test	with icon
Google	bankruptcy	with and without icon
Google	divorce lawyer	with icon
AdRoll	liposuction	with icon

We did not see any targeted ads for the topic of depression during our automated tests. However, during manual tests we did see ads placed by Criteo for a depression treatment device.

Retargeting and Sensitive Topics

All of the ads on sensitive topics were for sites or services that were visited during the induction phase of the tests. This means that the ads were likely placed using retargeting techniques rather than the establishment of interest categories. In fact, we never observed an interest category being created when conducting any of the tests on sensitive topics.

Retargeting is an advertising technique where ads are targeted based on specific websites that users have visited recently (e.g., a specific store). Our prior investigation of Google related to CPAP ads found that the problematic ads were being placed using retargeting. In that case we agreed with the complainant that his online activities and viewing history of health related websites constituted sensitive information and that the implied (opt-out) consent used in OBA was not appropriate. We recommended, and Google agreed, that no sensitive interests should be used to deliver advertisements without express consent. Google made changes to their procedures to enforce their policies on retargeting related to CPAP devices, and these seem to have been successful. However, the present results show that retargeting is taking place for other sensitive topics, both by Google and by others.

An important issue to be considered is how to define what constitutes a sensitive topic. Under PIPEDA, while medical and income records are almost always considered sensitive, other information may be considered sensitive depending on the context.

The reasonable expectations of the individual are also relevant in determining the proper form of consent.^{Footnote 12} For OBA, the question is whether a reasonable person would expect that information about their online activities could be used to deliver targeted advertising when they visit other, unrelated websites.

The concept of sensitive personal information has also been discussed in other ways. Information could be considered sensitive personal information if the collection, use, or disclosure (alone or when combined with other information):

• could lead to personal harm, financial or reputational damage, or embarrassment of an individual
• could reveal deeply personal or intimate details of the lifestyle and personal choices of an individual

In sum, if personal information used for OBA could be considered sensitive, then an opt-out model of consent is not appropriate. Organizations wishing to use sensitive personal information for OBA purposes would have to obtain opt-in consent.

Results Summary

The results of our research can be summarized as follows:

• of the approximately 9,000 ads that we reviewed, the AdChoices icon appeared with only a minority of ads (35%), but most ads were also not targeted
• all but one organization used the AdChoices icon to provide notice and opt-out
• targeted ads related to the topics that we tested appeared about 3% of the time (approximately 300 ads), and we saw ads for most of the topics that we tested
• the vast majority of the targeted ads (approximately 96.3%) appeared with notice and opt-out
• the remaining 3.7% of targeted ads, (11 cases) did not have the icon or any other form of notice and opt-out
• the approximately 300 targeted ads that we observed appeared across a majority of the websites used for the research (24 out of 46, 52%)
• we observed multiple examples of advertisements that were targeted based on activities for topics that we consider sensitive (pregnancy test, bankruptcy, liposuction, divorce lawyer, depression), and these ads were placed without opt-in consent by 3 advertising organizations using retargeting

Testing Opt-Out

Also, as part of the study, we went on to observe the opt-out procedures that consumers experience if they click on the AdChoices icon. We saw that the placement of the Ad Choices icon can be inconsistent. Sometimes the icon is placed within the ad, often in the top right corner, and at other times the icon is placed near the ad. In a few cases (usually involving Google ads) an “X” icon appeared beside the AdChoices icon, potentially causing confusion. Further, at times the icon appeared with the text label “AdChoices” while at other times the label was not present or only appeared if the user moved the mouse cursor over the icon.

Clicking on the Ad Choices icon did not lead to a consistent experience. Sometimes information about the advertising program appeared in place of the ad (i.e., in the same frame), at other times users were brought to a separate website, and sometimes both things occurred. We also observed that users could be brought to a variety of different websites and be shown a variety of opt-out interfaces, with little consistency.

The process of opting-out was also generally inconsistent, with some sites offering clear instructions and opt-out options and others offering unclear information and cumbersome procedures. Better opt-out sites (e.g., Truste, Chango) tended to offer a clear and obvious hyperlink that referenced “opt-out”, including the use of prominent font sizes and colours. With other sites, however, the term “opt-out” was not used or easily found and users often had to scroll through text to find the appropriate link (e.g., Adobe, Amazon). Sometimes it was particularly hard to find the opt-out option, with some sites (e.g., Google) requiring up to four clicks before the user could opt out.

Actually using the opt-out function was also problematic. In some cases there was no feedback that the opt-out had been accepted and, when a user revisited the opt-out page, there was no indication that they were now opted out.

Users wishing to opt out of OBA generally often had to visit multiple opt-out sites in order to register their preferences. Clicking on the icon for a particular ad may only lead to an opt-out for that particular advertising organization or a small group of OBA companies (this was often the case with Ghostery). Users were often faced with finding and visiting an industry-wide opt-out program to register a general preference. There was also a lack of consistency on which industry-wide opt-out program users were led to. Even for websites clearly popular with Canadians, users could end up at U.S. or European opt-out programs. In fact, being brought to the Canadian AdChoices program was fairly rare. Further, some of the companies that were listed in the industry-wide opt-out pages do not provide an opt-out option there, and users would have to visit each of these organizations to learn about any options that are available.

In summary, we found that using the AdChoices icon was often difficult. The experiences were often very different when each icon was clicked, the information provided was not always clear, and it was often difficult to find the opt-out option. Users wishing to express a general preference across different advertising organizations were also faced with multiple interfaces and websites, and this could easily lead to confusion and frustration.

Limitations of the Study

The research conducted here only involved a small sample of websites used by Canadians. A larger sample that included smaller sites that are not as popular might have produced different results.

We also observed that some of the websites we examined had advertising-like material that was labelled as “sponsored” or “related” content. This practice is often called advertorials or native advertising, and it can involve the placement of brand content in a manner than resembles articles. These advertising-like placements could be targeted on the basis of OBA, but it can be difficult to determine a direct link to prior online behaviour and we did not include them in the current analysis.

Conclusions

The purpose of this research was to observe the OBA practices on major websites of interest to Canadians. Using simple testing methods, we were able to see that OBA is being used on just over half of the websites used for the research. For most OBA ads the AdChoices icon is being used to provide notice and an ability to opt out, but some targeted ads did appear without any form of knowledge and consent. Further, we observed multiple examples where ads were targeted based on prior online activities that were related to sensitive topics without opt-in consent.

Where targeted ads appeared, we found that the procedures for opting out of OBA were often unsatisfactory. The experiences were often very different when each icon was clicked, the information provided was not always clear, and it was often difficult to find the opt-out option. Users wishing to express a general preference across different advertising organizations were also faced with multiple interfaces and websites, and this could easily lead to confusion and frustration.

Recommendations for Industry

Providing notice of OBA practices and ability to opt out is improving, but there remain important areas for improvements. Advertising organizations need to ensure that knowledge and consent is provided for all targeted ads. Websites need to ensure that the advertising organizations that they work with meet the requirements outlined here. Advertising organizations that rely on opt-out consent must avoid targeting based on sensitive topics, and they need to closely monitor the use of retargeting. Finally, advertising organizations and industry groups need to improve the opt-out procedures so they are clear, consistent, and usable.

Recommendations for Consumers

Individual consumers can take some control over the advertising that they see. If an individual does not want to see behaviourally targeted advertisements they should learn to control the privacy features in their browsers. Most browsers, for example, provide methods to block and clear the cookies that are used for behavioural advertising. There are also popular browser plugins or add-ons that provide some control over the advertising that is seen.

Consumers should also take advantage of the opt-out procedures that are available, even if they can be difficult to use. Effective opt-out may require the installation of a browser plugin or add-on to ensure that an opt-out preference is retained when the browser cookies are removed.